Installing SSL on Tomcat using certbot

What is SSL?

SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private

Why SSL?

SSL is an important part of the web this day. The main two reasons are to establish trust in users eyes and to establish trust in Google. Our case study shows that websites that use SSL can rank much faster for some keywords then websites that don't use SSL.


Since we will cover in this post how to install SSL on Tomcat you will need to make sure that you have following before to start with these steps:
  • Linux
  • Tomcat
  • Certbot
In this step, we will show you how to install certbot, we predict that you already have installed Tomcat on Linux.

Install certbot on Amazon EC2 Linux 2

There are two options on how you can install certbot. First one is to clone it from git, you can find the repository on the following link The command which you need is following
  • git clone
In some cases the command above will not work, for that, we are providing you additional commands on how you can install certbot.
  • sudo amazon-linux-extras install epel
  • sudo yum install certbot

Installing SSL on Tomcat using certbot

Since we have installed certbot and tomcat now we need to generate our certificate.
  • Navigate under /usr/share( cd /usr/share/ )
  • Make new directory SSL ( sudo mkdir ssl )
  • Enter inside SSL folder ( cd ssl/ )
Now we have created a folder where we will store our certificate and first we need to create our keystore. In our case we will use as a name server.keystore, you can change it.
  • sudo keytool -genkey -alias tomcat -keyalg RSA -keystore /usr/share/ssl/server.keystore -keysize 2048
The first point from the prompt dialog, where you are asked to enter first and last name, enter the exact domain for which you want to obtain SSL ( and use the same password everywhere.
Next step is to create CSR from keystore, and we can do it easily with the following command.
  • sudo keytool -certreq -alias tomcat -file request.csr -keystore /usr/share/ssl/server.keystore
Based on the CSR we need to request a new certificate which will be provided from Letsencrypt. For that purpose use the command below.
  • sudo certbot certonly --csr request.csr
This command will create one more file 0001_chain.pem
Now, we need to import the certificate in our keystore file.
  • sudo keytool -import -trustcacerts -alias tomcat -file 0001_chain.pem -keystore /usr/share/ssl/server.keystore
That was the last command, and now we have our SSL ready.

Configure server.xml for SSL

The last step is to configure server.xml so we will be able to see and use our SSL. Before that, you need to stop tomcat.Uncomment connector which is for SSL. See the picture below keystorePass need to have the same value as value which you enter when you request SSL
keystoreFile need to be path where is our keystore file in our case /usr/share/ssl/server.keystore


SSL is an important part of website security. It is must have the part for serious websites and tools. The SSL is mentioned for one of the most important rank factors for SEO. Google will give you more trust if you have valid SSL on your website. So do not wait to install one on your website. There are also paid SSL but this one is good for small websites. For the develop purpose, you can use a self-signed certificate.